EP3391278B1 - Jeton d'identification à microcontrôleur protégé (ID token with protected microcontroller) - Google Patents

Publication number: EP3391278B1
Authority: EP (European Patent Office)
Prior art keywords: microcontroller, token, application, data, protected
Legal status (as listed by Google Patents, not a legal conclusion): Active
Application number: EP16819835.6A
Other languages: German (de), English (en)
Other versions: EP3391278A1 (fr)
Inventors: Frank Morgner, Micha Kraus, Paul Bastian
Current and original assignee (as listed by Google Patents): Bundesdruckerei GmbH

Events:
Application filed by Bundesdruckerei GmbH
Priority to EP18182580.3A (EP3428830B1)
Priority to EP18182581.1A (EP3422243B1)
Publication of EP3391278A1
Application granted
Publication of EP3391278B1
Legal status: Active

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
                        • G06F21/71 ... to assure secure computing or processing of information
                            • G06F21/74 ... operating in dual or compartmented mode, i.e. at least one secure mode
                        • G06F21/82 Protecting input, output or interconnection devices
                            • G06F21/83 ... input devices, e.g. keyboards, mice or controllers thereof
            • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
                • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
                    • G06K19/06 ... characterised by the kind of the digital marking, e.g. shape, nature, code
                        • G06K19/067 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
                            • G06K19/07 ... with integrated circuit chips
                                • G06K19/0716 ... at least one of the integrated circuit chips comprising a sensor or an interface to a sensor
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 ... for authentication of entities
                        • H04L63/083 ... using passwords
                        • H04L63/0861 ... using biometrical features, e.g. fingerprint, retina-scan

Definitions

  • The invention relates to an ID token having a sensor, a communication interface and a first microcontroller, the ID token further comprising a protected second microcontroller arranged in a receptacle of the ID token and having at least one microcontroller communication interface that provides a data input and a data output.
  • The invention further relates to a method for checking measurement data of the sensor of such an ID token, and to a system comprising such an ID token and a reading device whose communication interface exchanges data with the communication interface of the ID token.
  • ID tokens for identifying or authenticating their holder are known from the prior art, for example in the form of documents such as identity cards and passports, but also access cards intended to grant a particular person access to a security area, or signature cards that can be used to sign an electronic document.
  • Such documents cannot necessarily be used only by the person for whom the ID token was issued.
  • If the identity of the user is established solely by the ID token presented, any third party who finds an ID token, such as an access card, may use it to gain access to a locked area.
  • A known solution to this problem is an additional authentication step in which the user of the ID token is asked for an additional security attribute, such as a PIN or a biometric feature, that does not follow from mere possession of the ID token. For example, the user is requested to enter the additional security attribute on a terminal or another external device.
  • Another problem in the prior art is the possibility of manipulation attempts on the ID token.
  • An unauthorized person may attempt, by suitable manipulation of the ID token, to gain access to the attributes stored on it for authentication.
  • There is also a risk that the ID token is manipulated so that it confirms the presence of the additional security attribute described above even though that attribute has not actually been presented.
  • An example scenario is an unauthorized third party replacing the additional security attribute of the authorized user stored on the ID token, such as a PIN or a biometric feature, with a security attribute of its own choosing, such as a new PIN or a biometric feature of the unauthorized user. Despite the additional security attribute, there thus remains a risk of abuse.
  • Furthermore, the terminal or other external device on which the additional security attribute is entered is exposed to possible skimming attacks.
  • The user cannot tell from the outside whether the input device has been manipulated so that an attacker can intercept or eavesdrop on the additional security attribute.
  • EP 2 575 084 A1 describes techniques for entering a secret into a security token by means of an embedded tactile sensor user interface and verifying it against a stored representation of the same secret.
  • A tactile sensing user interface is arranged to receive a user-encoded secret.
  • A decoding unit is arranged to generate a decoded secret by decoding the user-encoded secret.
  • A comparison unit is arranged to compare the decoded secret with a copy of the secret stored in the token in order to verify the authenticity of a user. This provides the security token with match-on-card functionality.
  • The present invention is based on the object of preventing the problem of illegitimate use of an ID token described above.
  • An "ID token" is understood here in particular as a portable electronic device which has at least one protected electronic data memory for storing attributes and a communication interface for reading out the attributes.
  • the memory area is protected in order to prevent the attribute stored in the memory area from being altered in an unauthorized manner or read out without the required authorization. In other words, the memory area can only be accessed if an access authorization required for this purpose is given.
  • the ID token can be a USB stick or a document, in particular a value or security document, for example in the form of a chip card.
  • a "document” is understood to mean paper-based and / or plastic-based documents, such as electronic identification documents, in particular passports, identity cards, visas and driving licenses, vehicle registration documents, vehicle documents, company identity cards, health cards or other ID documents as well as chip cards, in particular an access card or signature card, means of payment, in particular banknotes, bank cards and credit cards, waybills or other credentials, in which a data memory for storing at least one attribute is integrated.
  • the ID token can be a hardware token or a soft token if it is cryptographically bound to a hardware token, that is, for example, to a so-called secure element.
  • For example, a soft token cryptographically bound to a secure element can be generated according to DE 10 2011 082 101.
  • An “attribute” is generally understood to mean a data value, for example a number or a text.
  • the attribute can be an indication as to the identity of a user to whom the ID token is associated, in particular with regard to its so-called digital identity.
  • the name, first name, address of the user can represent attributes.
  • an “attribute” is understood in particular as meaning data relating to the user of the ID token or the ID token itself, in particular personalization data, such as personal data of the user, a period of validity or the issuer of the ID token or payment information, such as credit card information or other data for an electronic payment system.
  • An attribute may also comprise data used to verify the user's eligibility to use a particular online service, for example the user's age if the service is reserved for a particular age group, or another attribute documenting the user's membership of a group that is authorized to use the online service.
  • An "attribute" may also designate a data value that includes an access authorization for an access-restricted security system.
  • For example, the attribute may indicate a particular group membership, with access to the access-restricted security system depending on that group membership.
  • a "reader” is understood here as an electronic device which allows read access and also write access to the ID token, in particular a terminal, for example in the form of a so-called chip card terminal.
  • the reading device may form an integral part of a user computer system or be implemented as a separate component, for example as a peripheral device of the user computer system.
  • the reader may be a so-called class 1, 2 or 3 chip card reader.
  • the reader can be equipped with a contactless and / or contact interface for data exchange with an ID token.
  • a “microcontroller” or system-on-a-chip (SoC) is understood here as a semiconductor chip which comprises at least one processor, a communication interface and a memory.
  • a “protected microcontroller” refers to a microcontroller with physically limited accessibility.
  • a protected microcontroller here means a microcontroller with exactly one communication interface for contact-type communication with external elements, the communication interface providing exactly one data input and one data output.
  • a protected microcontroller may have additional measures against abuse, in particular against unauthorized access to data in the memory of the microcontroller.
  • a protected microcontroller includes sensors for monitoring the state of the microcontroller as well as its environment in order to detect deviations from normal operation, which may indicate manipulation attempts.
  • Corresponding sensor types include, for example, a clock frequency sensor, a temperature sensor, a voltage sensor, and / or a light sensor.
  • Clock frequency sensors, temperature sensors and voltage sensors detect, for example, deviations of the clock frequency, temperature and / or voltage up or down from a predefined normal range.
  • a protected microcontroller may include a nonvolatile electronic memory with a protected memory area.
  • A protected microcontroller may include means for cryptographic security, such as a random number generator, a cryptographic key generator, a hash generator, an encryption/decryption module, a signature module, certificates, and/or one or more non-migratable cryptographic keys, such as a so-called Endorsement Key, Storage Root Key and/or Attestation Identity Keys.
  • nonvolatile electronic memory is understood here as a memory for storing data, in particular attributes, which is also referred to as non-volatile memory (NVM).
  • this may be an EEPROM, for example a flash EEPROM, referred to as flash for short.
  • a "protected memory area” is understood here as meaning an area of an electronic memory to which access, that is to say a read access or a write access, is only made possible by a processor coupled to the memory if a condition required for this purpose is fulfilled. This may be, for example, a cryptographic condition, in particular a successful authentication and / or a successful authorization check.
  • the memory may be configured so that access to the protected memory area is possible only via the coupled processor.
  • A "protected memory area" of an ID token is likewise understood to mean an electronic memory storing data, such as an attribute and/or a data structure, which a reading device may only read, delete or change if the reader has authenticated itself to the ID token and/or has demonstrated its entitlement to read, erase and/or write that data, for example by means of an authorization certificate specifying such rights of the reader.
  • the electronic memory may be an EEPROM, in particular a flash EEPROM.
  • a "processor” is here understood to mean a logic circuit which serves to execute program instructions.
  • the logic circuit may be implemented on one or more discrete components, in particular on a chip.
  • a “communication interface” here means an interface via which data can be received and transmitted, wherein the communication interface can be configured to be contact-based or contactless, for example according to an RFID and / or NFC standard.
  • An "application” is understood here without limitation to any type of computer program which comprises machine-readable instructions for controlling a functionality of the ID token.
  • A "proxy" here means a switching element configured to establish a data connection between a receiver and a transmitter of data and to switch over to one or more other data connections that connect the same receiver or transmitter to another transmitter or receiver.
  • a “sensor” is understood here as an element for acquiring measured data.
  • Measurement data are data which qualitatively or quantitatively reproduce physical or chemical properties of a measurement object, such as heat quantity, temperature, humidity, pressure, sound field parameters, brightness, acceleration, pH value, ionic strength, electrochemical potential, and / or its material nature. Measurement data are recorded by means of physical or chemical effects and converted into an electronically processed electrical signal.
  • sensors also include elements for detecting information input, such as a keyboard, keypad, mouse, touch screen, and / or gesture capture elements.
  • An "encrypted end-to-end connection" is understood here as a connection between a sender and a receiver with end-to-end encryption, in which the data to be transmitted are encrypted by the sender and only decrypted by the receiver.
  • the encryption of transmitted data is thus carried out across all transmission stations, so that intermediate stations can not learn about the content of the transmitted data due to the encryption.
  • the connection is cryptographically secured by the encryption in order to prevent spying and / or manipulation of the transmission, for which purpose a so-called secure messaging method can be used.
  • A method for establishing such an encrypted end-to-end connection between an ID token and a reader is described, for example, in German patent application 10 2015 202 308.7.
  • a “certificate” here means a digital certificate, which is also referred to as a public-key certificate.
  • a certificate is structured data that serves to associate a public key of an asymmetric cryptosystem with an identity, such as a person or device.
  • certificates based on zero-knowledge cryptosystems are also possible.
  • the certificate may conform to the standard X.509 or another standard.
  • For example, the certificate is a Card Verifiable Certificate (CVC).
  • the certificate may specify for which attribute or attributes of the user stored in the protected memory area of the ID token a reader is authorized to perform a read access. Furthermore, the respective write permissions for attribute specifications or attributes in a certificate can also be defined. Such a certificate is also called an authorization certificate. Furthermore, a certificate can specify whether an authentication with the on-chip sensors may be initiated by the terminal.
  • An "Application Protocol Data Unit" (APDU) is the communication unit exchanged between a chip card and a chip card application, for example in a terminal, according to the ISO 7816 standard.
  • An APDU is an application-level communication unit corresponding to layer 7 of the OSI model. Command APDUs and response APDUs are distinguished.
  • Command APDUs carry commands to the chip card, while response APDUs carry the chip card's replies to those commands.
  • The structures of the command APDU and the response APDU are defined in ISO 7816-4.
  • A command APDU consists of a header (CLA, INS, P1, P2) and an optional body carrying the command's payload (Lc, data field, Le).
  • A response APDU consists of an optional body with payload, namely the response data of the command, and a mandatory trailer (the status words SW1 SW2).
  • The trailer indicates whether the command was executed successfully or which type of error prevented or interrupted processing.
  • Under secure messaging the payloads are encrypted, whereas the header remains unencrypted so that the APDUs can be correctly assigned and executed. With ISO 7816-4 secure messaging the header is nevertheless included in the message authentication code when the CLA byte indicates header authentication, so it is integrity-protected even though it is readable.
  • a communication based on a "master" / "slave" ratio between two or more subscribers is understood to be a data exchange in which exactly one subscriber assumes the role of the master and all other subscribers assume the role of slaves.
  • The communication takes place using a request-response protocol in which only the master is authorized to initiate a data transmission, i.e. to send a request to one of the slaves, whereas the slaves only reply to requests and can neither actively intervene in the communication nor initiate a transmission themselves.
  • a “logical channel” is understood to mean a local connection between two data terminal devices or network nodes, whereby a logical channel is realized by channel addresses in the transmitted data packets.
  • Each channel is assigned a "context" that defines a state and / or application of the destination data terminal or destination network node.
  • Embodiments may have the advantage of providing effective protection against misappropriation of the ID token.
  • On the one hand, an ID token according to the invention offers the possibility of checking the presence of additional security attributes by means of the sensor; on the other hand, it allows the use of a protected microcontroller which is configured, for example, to communicate with a reading device in encrypted form and which at the same time offers a high degree of security due to its limited accessibility.
  • the memory of the second microcontroller comprises a protected memory area in which at least one attribute of the ID token is stored.
  • the comparison data are stored in the protected memory area of the memory of the second microcontroller.
  • the ID token comprises a plurality of sensors.
  • Embodiments may have the advantage that the use of a sensor integrated in the ID token prevents manipulation of the sensor, for example for a skimming attack.
  • the proxy configured first microcontroller allows switching between a data connection of the protected second microcontroller to one or more sensors of the ID token and a data connection of the second microcontroller to the reader.
  • the first microcontroller for this purpose has a plurality of communication interfaces which provide a plurality of data inputs and data outputs.
  • the sensor offers the possibility to include additional external security attributes for authentication and / or authorization checks. These security attributes may relate to the identity of the user of the ID token, for example in the case of a fingerprint sensor, or knowledge of the user, such as a PIN keypad for entering a PIN known only to the user, or environmental parameters, such as those provided by a temperature sensor or a GPS receiver.
  • The memory of the protected second microcontroller comprises comparison data for the measurement data to be acquired by the sensors in a permitted, predefined application scenario. If the acquired measurement data match the comparison data, an admissible application scenario is assumed.
  • Such an application scenario is, for example, the use of the ID token by a person with a specific identity, by a person with specific knowledge and / or a use of the ID token at a specific location.
  • the ID token or the two applications of the protected second microcontroller can be configured to notify the reading device of the result of the comparison check and / or to transmit requested data only after a successful comparison check, or to execute received commands only after a successful comparison check.
  • The second application is configured to establish a connection with the reader in the form of an encrypted end-to-end connection and to output the data specified by a read command of the reader via that connection, over which encrypted APDUs are transmitted.
  • Embodiments may have the advantage that the data exchange between reader and ID token, in particular the interrogation of one or more attributes, can be effectively protected against unauthorized access, such as attempts of recording or listening.
  • the configuration of the first microcontroller as a proxy allows a query of measurement data of the sensor by switching the data connections despite the encryption of the data transmitted over the encrypted end-to-end connection.
  • Embodiments may have the advantage that, when a particular application such as the first application is addressed, measurement data are requested from the first microcontroller as a precaution, so that they are available to the protected second microcontroller when needed and the addressed application can fall back on them despite the limited accessibility of the second microcontroller and the encrypted exchange with the requesting reader, which is not visible from the outside. This applies even where the second microcontroller operates as a slave of the first microcontroller operating as master.
  • For example, the first request of the reader during connection establishment is a request to establish an encrypted end-to-end connection.
  • Embodiments may have the advantage that measurement data are requested as a precautionary measure only if there are indications that they are actually involved in the communication about the encrypted end-to-end connection to be established.
  • the unencrypted message is a certificate which entitles the reader to check the measurement data acquired by the sensor by means of the first application.
  • Embodiments may have the advantage that measurement data are only requested as a precaution when a requesting reader also has the authorization to access these measurement data. If this is not the case, it is not necessary to provide the measured data, whether requested or not.
  • For example, the first microcontroller is configured to receive, cache and forward all messages sent from the reader to the second application in the course of establishing the encrypted end-to-end connection, and to forward all cached messages to the second application again when forwarding the measurement data.
  • Embodiments may have the advantage that, if the connection setup is interrupted, it can be efficiently resumed even if the build status achieved so far has been lost due to the interruption.
  • Embodiments may have the advantage that the measurement data is only requested if it is actually queried.
  • the use of two logical channels ensures that the established encrypted end-to-end connection is not interrupted, but can persist when switching to another channel, without hindering the transmission of the measured data.
  • the analysis of the header data allows encryption to be maintained, thereby increasing security but still allowing the first microcontroller to detect a query of sensor measurement data.
  • the data transmission over the first logical channel is interrupted during transmission of the measurement data on the second logical channel and continues after completion of the measurement data transmission, but the first logical channel remains during the interruption. The switching is controlled by the first microcontroller, which acts as a master, for example, while the protected second microcontroller assumes the role of a slave.
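The APDU framing defined above and the channel switching of the preceding embodiments, as an added example in Python that is not code from the patent or from Bundesdruckerei: the first microcontroller acts as master and proxy, inspects only the plaintext command header (CLA, INS), switches the data connection to the sensor when the header reveals a sensor check, and hands the measurement to the protected second microcontroller on a second logical channel while the reader's channel stays open; the second microcontroller acts as slave, compares the measurement against its stored comparison data and releases the attribute only after a successful check. The INS codes, status words and CLA bit positions are the ISO 7816-4 values; the fingerprint sensor, the hash-based exact-match comparison and the channel numbering are assumptions made for the example, and secure-messaging encryption itself is not modelled.

```python
"""Added example, not code from the patent or Bundesdruckerei: ISO 7816-4 short APDU framing
and a simulation of the first microcontroller acting as proxy/master in front of the protected
second microcontroller (slave). Sensor, comparison data and channel use are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib
import hmac

INS_VERIFY, INS_READ_BINARY = 0x20, 0xB0                            # ISO 7816-4 INS codes
SW_OK, SW_VERIFY_FAILED, SW_SEC_STATUS, SW_INS_UNSUPPORTED = 0x9000, 0x63C0, 0x6982, 0x6D00


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None

    @property
    def channel(self) -> int:
        return self.cla & 0x03                  # basic logical channel number: CLA bits 1-2

    @property
    def header_authenticated_sm(self) -> bool:
        return (self.cla & 0x0C) == 0x0C        # CLA bits 3-4 = 11: secure messaging, header in MAC


def parse_command(raw: bytes) -> CommandAPDU:
    """Decode a short command APDU (cases 1-4); ValueError if Lc/Le do not fit the length."""
    if len(raw) < 4:
        raise ValueError("command APDU shorter than the 4-byte header")
    cla, ins, p1, p2, body = raw[0], raw[1], raw[2], raw[3], raw[4:]
    if len(body) <= 1:                          # case 1 (no body) or case 2 (Le only)
        return CommandAPDU(cla, ins, p1, p2, le=(body[0] or 256) if body else None)
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(rest) > 1:
        raise ValueError("Lc/Le inconsistent with APDU length")
    return CommandAPDU(cla, ins, p1, p2, data, (rest[0] or 256) if rest else None)


def encode_command(c: CommandAPDU) -> bytes:
    out = bytes([c.cla, c.ins, c.p1, c.p2])
    if c.data:
        out += bytes([len(c.data)]) + c.data
    if c.le is not None:
        out += bytes([0 if c.le == 256 else c.le])
    return out


def split_response(raw: bytes) -> Tuple[bytes, int]:
    """Response APDU = optional data + mandatory trailer SW1 SW2."""
    return raw[:-2], int.from_bytes(raw[-2:], "big")


def _response(sw: int, data: bytes = b"") -> bytes:
    return data + sw.to_bytes(2, "big")


class ProtectedMicrocontroller:
    """Slave: only answers. First application (comparison) and second application (release)
    are combined here, as one embodiment of the patent allows."""
    def __init__(self, attribute: bytes, reference_template: bytes):
        self._attribute = attribute                                 # stands in for the protected memory area
        self._reference = hashlib.sha256(reference_template).digest()
        self._comparison_ok = False                                 # result handed to the second application

    def process(self, raw: bytes) -> bytes:
        c = parse_command(raw)
        if c.ins == INS_VERIFY:                 # exact-match stand-in for biometric matching (assumption)
            self._comparison_ok = hmac.compare_digest(hashlib.sha256(c.data).digest(), self._reference)
            return _response(SW_OK if self._comparison_ok else SW_VERIFY_FAILED)
        if c.ins == INS_READ_BINARY:
            if not self._comparison_ok:
                return _response(SW_SEC_STATUS)   # attribute is released only after a successful check
            return _response(SW_OK, self._attribute[:c.le])
        return _response(SW_INS_UNSUPPORTED)


class ProxyMicrocontroller:
    """Master: the only party that initiates transfers. It inspects the plaintext header only;
    a secure-messaging body would be opaque to it (the encryption itself is not modelled)."""
    SENSOR_CHANNEL = 1                          # second logical channel; the reader's channel stays open

    def __init__(self, secure_mcu: ProtectedMicrocontroller, sensor):
        self.mcu, self.sensor, self.log = secure_mcu, sensor, []

    def handle_reader_apdu(self, raw: bytes) -> bytes:
        c = parse_command(raw)
        if c.ins == INS_VERIFY:
            # Header reveals a sensor check: switch the data connection to the sensor and hand
            # the measurement to the protected MCU on the second channel.
            cla = (c.cla & ~0x03) | self.SENSOR_CHANNEL
            self.log.append(("sensor->mcu", self.SENSOR_CHANNEL))
            return self.mcu.process(encode_command(CommandAPDU(cla, INS_VERIFY, c.p1, c.p2, self.sensor())))
        self.log.append(("reader->mcu", c.channel))
        return self.mcu.process(raw)            # everything else is relayed unchanged


def demo() -> dict:
    """Constructed sample run: read before any check, wrong finger, then the enrolled one."""
    template = b"enrolled-fingerprint-template"                      # constructed sample data
    mcu = ProtectedMicrocontroller(b"Jane Doe, born 1985-04-12", template)
    readings = iter([b"someone-else's-finger", template])
    proxy = ProxyMicrocontroller(mcu, sensor=lambda: next(readings))
    read_attr = encode_command(CommandAPDU(0x0C, INS_READ_BINARY, 0x00, 0x00, le=0x20))
    verify = encode_command(CommandAPDU(0x0C, INS_VERIFY, 0x00, 0x80))
    sw = [split_response(proxy.handle_reader_apdu(a))
          for a in (read_attr, verify, read_attr, verify, read_attr)]
    return {"locked": sw[0][1], "bad_finger": sw[1][1], "still_locked": sw[2][1],
            "good_finger": sw[3][1], "attribute": sw[4][0], "channels": proxy.log}
```

Running `demo()` shows the sequence the embodiments describe: READ BINARY is answered with 6982 (security status not satisfied) until a comparison succeeds, a wrong measurement yields 63C0, and only after the enrolled measurement does the attribute leave the protected microcontroller, while the proxy's log records the switch from the reader's channel 0 to the sensor on channel 1 and back. The comparison uses `hmac.compare_digest` so that a mismatch does not leak through timing, and `parse_command` rejects APDUs whose Lc or Le disagree with their length rather than reading past the end of the body.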
  • the at least one microcontroller communication interface of the protected second microcontroller is a contact-type communication interface.
  • Embodiments may have the advantage that monitoring and / or recording of transmitted data is made more difficult and security is thus increased.
  • the protected second microcontroller comprises exactly one microcontroller communication interface.
  • Embodiments may have the advantage of effectively minimizing the physical accessibility of the protected second microcontroller and thus increasing security.
  • the first microcontroller is configured to exchange data contactlessly with a reader via the communication interface of the ID token.
  • Embodiments may have the advantage of simplifying the use of the ID token, since it does not first have to be brought into contact with the reader.
  • the checking process of the ID token can be accelerated since the bringing into contact is omitted.
  • this allows the ID token to be held without restrictions in such a way that one of the sensors is optimally aligned to acquire the measured data.
  • the ID token may be held so that a fingerprint sensor of the ID token is easily accessible to the user with his fingers.
  • With a contact-based interface, by contrast, the required contact limits how the ID token can be positioned.
  • According to other embodiments, the first microcontroller is configured to exchange data with a reader in a contact-based manner via the communication interface of the ID token.
  • Embodiments may have the advantage that monitoring and / or recording of transmitted data is made more difficult and security is thus increased.
  • the second application comprises the first application.
  • Embodiments may have the advantage that the functionality of the first and second applications on the protected second microcontroller are combined or integrated in a common application.
  • the second application natively includes the functionality of the first application or vice versa, whereby no separate implementation of this functionality is necessary in a separate, independent application.
  • the first and second applications are separate, stand-alone applications.
  • Embodiments may have the advantage that all applications wishing to request further features direct these requests to one central application, i.e. the first application, so that this single central application alone handles their management and checking.
  • the measurement data is one or more biometric features, a PIN, acceleration data, GPS coordinates, and / or temperature data.
  • Embodiments may have the advantage that biometric features, such as fingerprints or a frequency pattern of the voice, may be used to verify the identity of the actual user of the ID token.
  • a PIN verifies that the user has the necessary knowledge for the legitimate use of the ID token.
  • acceleration data may be used to identify the user based on motion patterns.
  • the location of the ID token can be determined via the GPS coordinates.
  • the temperature can be used to check environmental conditions, for example, to determine the actual location of the use of the ID token.
  • For example, a fingerprint sensor can test whether a finger is actually placed on the sensor while the measurement data are acquired.
  • For example, the ID token has a plurality of different sensors for acquiring a plurality of different measurement data, to which the first microcontroller is connected for data exchange, the first application being configured to compare the measurement data of each sensor with comparison data stored in a memory of the second microcontroller and to forward the comparison results to the second application.
  • Embodiments may have the advantage that a complex usage scenario may be defined in which use of the ID token is allowed.
  • Such a complex usage scenario for confirming an identity and/or authorization by means of the ID token may, for example, require a plurality of different measurement data acquired by different sensors to be correct, i.e. to match predefined comparison data.
  • graded security levels can be defined. For easy access to a building and / or computer system, knowledge of a PIN may be sufficient, for a legally binding digital signature this knowledge may be necessary in conjunction with confirmation of the identity of the user about one or more biometric features.
  • the first microcontroller is configured as master and the protected second microcontroller as slave.
  • Embodiments may have the advantage of increasing security, since the security-sensitive second microcontroller cannot actively intervene in the communication. The second microcontroller therefore cannot be manipulated into transmitting inadmissible data on its own.
  • the second microcontroller is physically protected by one or more of the following: a clock frequency sensor, a temperature sensor, a voltage sensor, and / or a light sensor.
  • Embodiments may have the advantage that these sensors provide an effective way to monitor the state of the second microcontroller as well as its environment and thus allow early detection of physical manipulation attempts.
  • the second microcontroller is cryptographically protected by one or more of the following: a random number generator, a cryptographic key generator, a hash generator, an encryption/decryption module, a signature module, one or more certificates, and/or one or more non-migratable cryptographic keys.
  • Embodiments may have the advantage that both the data storage and the data transfer by means of the second microcontroller satisfy high cryptographic security requirements.
  • the microcontroller communication interface of the protected second microcontroller is hardwired to the first microcontroller.
  • Embodiments may have the advantage that removing the protected second microcontroller from the ID token for manipulation purposes is made more difficult.
  • the wiring may be configured such that a non-destructive removal, in which the microcontroller communication interface remains functional, is prevented.
  • the protected second microcontroller is configured as a replaceable module and the receptacle of the ID token as a plug-in connection for the module, wherein the microcontroller communication interface of the protected second microcontroller is releasably contacted to the first microcontroller.
  • Embodiments may have the advantage that the ID token may be used as a platform for use with various protected second microcontrollers. In particular, this increases the compatibility with developments of the protected microcontroller and also allows a standardized mass production.
  • the ID token has an output device to which the first microcontroller is connected for data exchange.
  • Embodiments may have the advantage of facilitating operation of the ID token and providing instructions for using the sensors as well as information about the usage state of the ID token. This is particularly advantageous in a plurality of sensors.
  • The output device may be, for example, a display or LEDs.
  • the sensor can also be integrated in an output device, such as in a pressure-sensitive display.
  • the invention relates to a system comprising an ID token according to one of the preceding claims and a reader with a communication interface for data exchange with the communication interface of the ID token, wherein the reader is configured to establish a connection with the second application of the protected second microcontroller and, via the established connection, to send APDUs to the second application and/or receive APDUs from the second application.
  • Embodiments may have the advantage of providing a system for efficiently and securely checking access authorization, securely processing payment transactions, and / or securely digitally signing electronic documents.
  • the reader is for example part of a device for access control, a terminal and / or a user computer system.
  • Embodiments may have the advantage of providing a method for verifying measurement data of the sensor of an ID token, which at the same time provides effective protection against misappropriation of the ID token.
  • the connection established between the reader and the second application is an encrypted end-to-end connection.
  • encrypted APDUs, in the form of encrypted command APDUs and encrypted response APDUs, are exchanged via the encrypted end-to-end connection.
  • Embodiments may have the advantage of providing data transmission protected against eavesdropping and / or snooping attempts.
  • unencrypted messages are exchanged between the reader and the second application via the communication interface of the ID token.
  • the request for setting up the connection between the reader and the second application of the protected second microcontroller is buffered by the first microcontroller; the provision of the comparison result for the acquired measurement data is triggered by the reception of the request, and once the acquired measurement data have been forwarded by the first microcontroller, the cached request is forwarded to the second application.
  • Embodiments may have the advantage that measurement data are provided as a precaution, so that the protected second microcontroller can have or access it as needed.
  • unencrypted messages for establishing the connection are received and cached by the first microcontroller, which analyzes the cached unencrypted messages; upon detecting in an unencrypted message a reference to measurement data acquired by the sensor, it interrupts the forwarding of that message and triggers the provision of the comparison result for the acquired measurement data; once the acquired measurement data have been forwarded by the first microcontroller to the second microcontroller, the cached messages that had already been forwarded are forwarded to the second application again and the interrupted forwarding is continued.
  • Embodiments may have the advantage that measurement data are provided as a precautionary measure only when it is foreseeable that with a certain probability they will actually be required.
  • the analyzed message is a certificate of the reader and the measurement data is only provided if the reader also has the necessary authorization to access this measurement data.
  • encrypted APDUs are sent to and received from the protected second microcontroller on a first logical channel, wherein the first microcontroller analyzes the unencrypted header data of received command APDUs and, upon detecting in the unencrypted header data of an encrypted command APDU a reference to measurement data acquired by the sensor, interrupts the forwarding of that command APDU and triggers the provision of the comparison result for the acquired measurement data, wherein the acquired measurement data are forwarded to the first application on a second logical channel, and wherein, once the acquired measurement data have been forwarded by the first microcontroller via the second logical channel, the interrupted forwarding on the first logical channel is continued.
  • Embodiments may have the advantage of providing measurement data only when needed. However, an efficient provision is made possible despite the encryption of the APDUs and the limited access to the protected second microcontroller.
  • each of the logical channels is assigned a context of the protected second microcontroller, and the second microcontroller is configured to switch between the individual contexts depending on which logical channel the communication with the first microcontroller takes place on.
  • Embodiments of the invention could have the advantage that the encrypted end-to-end connection between the reader and the second application can be maintained while interrogating, transmitting and comparing the measurement data.
  • FIG. 1 shows a schematic block diagram of an exemplary ID token 10 according to the invention in combination with a reader 20, which together form a system 100 according to the invention.
  • the ID token 10 includes first and second microcontrollers 40, 50.
  • the first microcontroller 40 is configured to communicate contactlessly with the reader 20, i.e. to exchange data, by means of an antenna module 30 which includes an antenna.
  • the reader 20 is provided with an antenna 22.
  • the first microcontroller 40 includes a processor 42 and a memory 44.
  • the memory 44 includes machine-readable instructions which, when executed by the processor 42, cause the first microcontroller 40 to control the communication of the protected second microcontroller 50 with the reader 20 and with the sensors 70, 72, and to control the output devices 80, 82.
  • the ID token 10 includes the aforementioned sensors 70, 72, which are, for example, a fingerprint sensor 70 and a PIN keypad 72.
  • in embodiments, other known types of sensors may also be used, such as a microphone, a gyroscope, an acceleration sensor, a GPS receiver and/or a thermometer. According to embodiments, these sensors may also be provided in addition to the two sensors 70, 72.
  • the ID token 10 includes output devices, such as a display 80 and LEDs 82.
  • the display 80 may be driven by the first microcontroller 40 to prompt the user of the ID token 10 to place one or more fingers on the fingerprint sensor 70 or to enter a PIN via the PIN keypad 72.
  • the LEDs 82 may signal to the user that the sensors 70 and / or 72 are ready for use and / or that a fingerprint has been completely detected or a PIN has been completely entered and / or that an error has occurred. This may be indicated, for example, by different colors in which the LEDs 82 are lit. According to embodiments, the ID token 10, and in particular the LEDs 82, may also be configured to indicate when the result of the data comparison performed by the first application 56 of the protected second microcontroller 50 is positive.
  • the ID token 10 includes a receptacle 60 for a second microcontroller, in which a protected second microcontroller 50 is arranged.
  • the second microcontroller 50 is protected, on the one hand, by having only a single contact-based microcontroller communication interface 59 for communicating or exchanging data with external elements, i.e. with the first microcontroller 40, the microcontroller communication interface 59 having exactly one data input and one data output.
  • the second microcontroller 50 may be protected physically and cryptographically.
  • the microcontroller 50 according to embodiments comprises a clock frequency sensor, a temperature sensor, a voltage sensor, and / or a light sensor.
  • for cryptographic protection, the microcontroller 50 comprises, for example, a random number generator, a cryptographic key generator, a hash generator, an encryption/decryption module, a signature module, one or more certificates and/or one or more non-migratable cryptographic keys.
  • the protected second microcontroller 50 comprises a processor 52 and a memory 54 with a first and a second application 56, 58.
  • the memory 54 comprises the comparison data (not shown) for the measurement data of the sensors 70, 72.
  • the comparison data may for example be fingerprints or characteristic feature specifications of fingerprints of one or more users associated with the ID token 10.
  • the comparison values may include one or more PINs.
  • according to embodiments, the PINs may be stored in the memory 54 in enciphered form, so that for the comparison it is necessary either to encipher the acquired measurement data and compare the result with the stored ciphertext, or to decipher the stored ciphertext.
  • the memory 54 may be a protected memory according to embodiments.
  • the memory 54 can be accessed, for example, only if an access authorization required for this purpose is given.
  • the memory 54 can be accessed only via the processor 52.
  • the first application 56 includes machine-readable instructions which, when executed by the processor 52, cause the second microcontroller 50 to compare the acquired measurement data of the sensors 70, 72, forwarded to the first application 56 by the first microcontroller 40, with the comparison values stored in the memory 54.
  • the comparison results are transmitted from the first application 56 via an inter-applet communication (IAC) to the second application 58.
  • the first application 56 may also be integrated in the second application 58.
  • the second application 58 is configured to establish an encrypted end-to-end connection with the reader 20. Encrypted APDUs are exchanged between the reader 20 and the second application 58 via the encrypted end-to-end connection.
  • the reader 20 sends, for example, command APDUs to the second application 58, to which this responds in each case with a corresponding response APDU.
  • the ID token 10 may include a power source (not shown) configured to power at least the sensors 70, 72 and the display devices 80, 82.
  • the energy source may be, for example, a battery or an apparatus for "energy harvesting".
  • piezoelectric crystals, thermoelectric generators or the like can be used.
  • the reader 20 includes a cryptographic circuit 24 which is configured to communicate contactlessly with the first microcontroller 40 of the ID token 10 via an antenna 22.
  • the reader 20 may be an RFID reader.
  • the communication between the reader 20 and the ID token 10 can take place wirelessly according to the ISO 14443 standard at a frequency of 13.56 MHz.
  • the reader 20 may be part of an access control system, for example, where a user must switch an access control device to a release state by means of the ID token 10 in order to gain access.
  • an attribute is stored in the protected memory 54 of the protected second microcontroller 50, which is to be read by the reader 20 and compared with a comparison attribute. Only if the attribute read from the protected memory 54 matches the comparison attribute of the reader 20 is the access control device switched to a release state.
  • an identification of the user by means of a biometric feature such as a fingerprint and / or the knowledge of a PIN is required as an entry requirement.
  • the user has to record his fingerprint via the fingerprint sensor 70 and / or enter a PIN via the PIN keypad 72.
  • the measured data acquired by the sensors 70, 72 are forwarded via the first microcontroller 40 to the first application 56 of the protected second microcontroller 50.
  • the first application 56 is executed by the processor 52 and compares the acquired measurement data with the comparison data stored in the protected memory 54.
  • the comparison result is transmitted to the second application 58 by the first application 56 through an inter-applet communication and forwarded to the reader 20 via the encrypted end-to-end connection. Only with a positive comparison result, the access control device is switched to a release state.
  • according to other embodiments, the comparison result is not communicated to the reader 20, but the second application 58 is configured such that the attribute requested by the reader 20 is transmitted to the reader 20 only on condition that the comparison result is positive.
  • FIG. 2 shows a flow chart of a first exemplary method for operating the ID token 10 of FIG. 1.
  • the first microcontroller 40 receives, by means of the antenna module 30, a first request directed at the second application 58 of the protected second microcontroller 50 for setting up an encrypted end-to-end connection.
  • the received request is buffered by the first microcontroller 40 and its forwarding is interrupted.
  • the first microcontroller 40 sends in block 202 a second request for acquiring measurement data to the fingerprint sensor 70 and / or the PIN keypad 72.
  • the user is prompted via the display 80, for example, to place a finger on the fingerprint sensor 70 and/or to enter a PIN via the PIN keypad 72.
  • the corresponding measurement data are detected by the sensors 70, 72 and transmitted in block 204 to the first microcontroller 40, which forwards them to the first application 56 via the one microcontroller communication interface 59.
  • the first application 56 compares the acquired measurement data with the comparison data stored in the memory 54.
  • the comparison result is transmitted in block 208 from the first application 56 to the second application 58 of the protected second microcontroller 50, for example by means of an inter-applet communication, and made available in this way.
  • the transfer may occur immediately after completion of the comparison, or the first application 56 may cache the comparison results and send them to the second application 58 as needed, e.g. upon request.
  • the acquisition, forwarding and processing of measurement data is thus always performed when the reader 20 attempts to read the protected second microcontroller 50, i.e. initiates a connection with the second application 58. This is the case regardless of whether, or which of, the acquired measurement data are actually needed later in the course of the communication between the reader 20 and the second application 58.
  • the first request for establishing the encrypted end-to-end connection is forwarded by the first microcontroller 40 to the second application 58.
  • the first microcontroller 40 is configured as a proxy which switches between forwarding the first request and forwarding the measurement data, and thus controls the data stream from the different, physically separate data sources, i.e. the reader 20 and the sensors 70, 72, to the protected second microcontroller 50.
  • the encrypted end-to-end connection is established, for example, by the exchange of certificates and / or cryptographic keys between the reader 20 and the second application 58.
  • the connection is established, for example, according to the German patent application 10 2015 202 308.7 described protocol.
  • encrypted APDUs are exchanged between the reader 20 and the second application 58 via this encrypted end-to-end connection.
  • an encrypted command APDU is sent from the reader 20 to the second application 58, which is received and forwarded on its transmission path by the first microcontroller 40.
  • This encrypted command APDU may query the result of the comparison for the detected sensor data and / or query an attribute which is output only on a positive comparison result.
  • a response APDU, generated by the second application 58 in response to the command APDU using the comparison results and including, for example, the comparison results and/or a queried attribute, is received on its transmission path by the first microcontroller 40 and forwarded to the reader 20.
  • FIG. 3 shows a flow chart of a second exemplary method for operating the ID token 10 of FIG. 1.
  • the encrypted end-to-end connection is established, for example, by the exchange of certificates and / or cryptographic keys between the reader 20 and the second application 58.
  • the messages sent by the reader 20 to the second application 58 and the responses to them are received and forwarded by the first microcontroller 40, which caches and analyzes them, for example for certain predefined key terms or functionalities relating to the measurement data of the sensors 70, 72.
  • a certificate from the reader 20 is received by the first microcontroller 40.
  • the content of this certificate is analyzed and if it relates to the measurement data of the sensors 70, 72, this reference is detected in block 304.
  • Such a reference may, for example, be an authorization to access the corresponding measurement data.
  • if no such reference is detected, connection setup continues by forwarding the analyzed message; otherwise the forwarding is temporarily suspended and connection establishment is thus interrupted in block 306. Even if the connection setup continues, according to embodiments the analyzed messages remain cached on the first microcontroller 40 until completion of the connection setup.
  • the analyzed message is, for example, a certificate of the reader 20.
  • the collection, forwarding, processing and provision of the measurement data to which the analyzed certificate refers are carried out.
  • blocks 308 to 314, which relate to the acquisition, forwarding, processing and provision of the measurement data of the sensors 70, 72, are analogous to blocks 202 to 208 of the method according to FIG. 2.
  • the one communication interface 59 of the second microcontroller 50 is used for transmitting the measurement data while the transmission of messages for establishing the encrypted end-to-end connection is suspended.
  • measurement data of the fingerprint sensor 70 and / or the PIN keypad 72 is detected.
  • after the acquired measurement data have been passed through the first microcontroller 40 in block 310, the suspended connection setup continues in block 316. For this purpose, according to embodiments, it is necessary to resend the data previously forwarded by the first microcontroller 40 and still stored on it. In particular, the forwarding of the analyzed certificate, interrupted in block 306, is continued.
  • encrypted APDUs are exchanged between the reader 20 and the second application 58. This includes, for example, receiving and sending command and response APDUs analogous to blocks 214 and 216 of FIG. 2.
  • FIG. 4 shows a flow chart of a third exemplary method for operating the ID token 10 of FIG. 1.
  • an encrypted end-to-end connection is established between the reader 20 and the second application 58.
  • the transmission of encrypted APDUs to the protected second microcontroller 50 takes place via its contact-based microcontroller communication interface 59 on a first logical channel.
  • the first logical channel is assigned a first context of the protected second microcontroller 50.
  • an encrypted command APDU sent by the reader 20 is received by the first microcontroller 40.
  • the first microcontroller 40 has no access to the encrypted payload data of the command APDU, but only to its unencrypted header data. These header data are analyzed, for example, with a predefined search mask.
  • a reference to measurement data of the sensors 70, 72 is detected, for example an access to the corresponding measurement data.
  • communication is paused over the first logical channel.
  • the analyzed and on the first microcontroller 40 cached command APDU is not forwarded for the time being.
  • the first microcontroller 40 switches over and establishes a connection between the fingerprint sensor 70 and/or the PIN keypad 72 on the one hand and the first application 56 of the protected second microcontroller 50 on the other hand, by requesting measurement data and transmitting it to the protected second microcontroller 50 on a second logical channel.
  • the second logical channel is assigned a second context of the protected second microcontroller 50.
  • the protected second microcontroller 50 is configured to switch between different contexts depending on which logical channel is being used for communication.
  • the first microcontroller 40 acts as a master, the protected second microcontroller 50 as a slave.
  • blocks 408 to 414, which relate to the acquisition, forwarding, processing and provision of the measurement data of the sensors 70, 72, are analogous to blocks 202 to 208 of the method according to FIG. 2.
  • after forwarding the acquired measurement data via the second logical channel in block 410, the first microcontroller 40 switches back to the paused first logical channel in block 416 and continues the encrypted communication by forwarding the cached command APDU to the second application 58.
  • the second application 58 responds to the command APDU, for example, with a response APDU analogous to block 216 of FIG. 2, which is received by the first microcontroller 40 and forwarded to the reader 20 via the antenna module 30.
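The FIG. 4 flow (and the gating of the attribute on the comparison result described for the access-control use case) can be followed in a small simulation. The following Python is an added example and not code from the patent or from Bundesdruckerei. It assumes the ISO 7816-4 encoding of the logical channel number in the two low bits of CLA, takes INS 0x20 (VERIFY) as the predefined search mask for a reference to sensor data and INS 0xB0 (READ BINARY) as the attribute read, replaces secure messaging by an opaque payload that the first microcontroller never parses, and stores the PIN reference as a salted keyed hash with a retry counter in place of the unspecified cipher of the description. The class names, the status words returned and the APDUs in run_demo are this example's own constructed choices.

```python
# Added example (not the patent's or Bundesdruckerei's code): simulation of the
# FIG. 4 proxy. Assumed: channel = CLA bits b1..b2 (ISO 7816-4), INS 0x20 VERIFY
# is the search mask, INS 0xB0 reads the attribute, PIN stored as keyed hash.
import hashlib
import hmac
import os

CHANNEL_E2E = 0       # first logical channel: reader <-> second application 58
CHANNEL_SENSOR = 1    # second logical channel: sensor data -> first application 56
TRIGGER_INS = {0x20}  # header search mask: INS codes that refer to sensor data
INITIAL_RETRIES = 3


def parse_header(apdu: bytes):
    """Split the unencrypted CLA INS P1 P2 header; channel = low two bits of CLA."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than a command header")
    cla, ins, p1, p2 = apdu[:4]
    return cla, ins, p1, p2, cla & 0x03


class FirstApplication:
    """Application 56: compares sensor data with the stored reference."""
    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        self.reference = self._digest(pin)
        self.retries = INITIAL_RETRIES
        self.result = None  # last comparison result, handed to app 58 via IAC

    def _digest(self, pin: str) -> bytes:
        return hmac.new(self.salt, pin.encode(), hashlib.sha256).digest()

    def compare(self, measurement: str) -> bool:
        if self.retries == 0:       # blocked: no further attempts accepted
            self.result = False
            return False
        self.retries -= 1           # decrement first so a power cut cannot preserve it
        ok = hmac.compare_digest(self.reference, self._digest(measurement))
        if ok:
            self.retries = INITIAL_RETRIES
        self.result = ok
        return ok


class SecondApplication:
    """Application 58: answers the reader; attribute released only on a positive result."""
    def __init__(self, attribute: bytes, app56: FirstApplication):
        self.attribute, self.app56 = attribute, app56

    def handle(self, apdu: bytes) -> bytes:
        ins = parse_header(apdu)[1]
        if ins == 0x20:  # VERIFY: report the comparison result received via IAC
            if self.app56.result:
                return b"\x90\x00"
            return bytes([0x63, 0xC0 | self.app56.retries])  # 63 CX: X retries left
        if ins == 0xB0:  # READ BINARY: the attribute, or 'security status not satisfied'
            return self.attribute + b"\x90\x00" if self.app56.result else b"\x69\x82"
        return b"\x6D\x00"  # INS not supported


class ProtectedMCU:
    """Microcontroller 50: one interface, one context per channel, answers only."""
    def __init__(self, pin: str, attribute: bytes):
        self.app56 = FirstApplication(pin)
        self.app58 = SecondApplication(attribute, self.app56)
        self.channel_log = []  # context each message was dispatched to

    def receive(self, channel: int, payload: bytes) -> bytes:
        self.channel_log.append(channel)
        if channel == CHANNEL_SENSOR:
            return b"\x90\x00" if self.app56.compare(payload.decode()) else b"\x63\x00"
        return self.app58.handle(payload)


class FirstMCU:
    """Microcontroller 40: master and proxy between reader, keypad and MCU 50."""
    def __init__(self, mcu: ProtectedMCU, keypad):
        self.mcu, self.keypad = mcu, keypad  # keypad() returns the entered PIN
        self.cached = None

    def forward(self, apdu: bytes) -> bytes:
        _, ins, _, _, channel = parse_header(apdu)
        if channel != CHANNEL_E2E:  # sensor channel is not reachable from the reader
            return b"\x68\x81"      # SW: logical channel not supported
        if ins in TRIGGER_INS:
            self.cached = apdu                                      # blocks 404/406
            measurement = self.keypad()                             # block 408
            self.mcu.receive(CHANNEL_SENSOR, measurement.encode())  # block 410
            apdu, self.cached = self.cached, None                   # block 416
        return self.mcu.receive(CHANNEL_E2E, apdu)


def run_demo(entered_pin: str):
    """One session with constructed APDUs: VERIFY, READ BINARY, and an APDU whose
    CLA addresses the sensor channel. Payloads are opaque placeholders."""
    mcu = ProtectedMCU(pin="1234", attribute=b"ACCESS-GROUP-7")
    proxy = FirstMCU(mcu, keypad=lambda: entered_pin)
    verify = bytes([0x0C, 0x20, 0x00, 0x80]) + b"<encrypted payload>"
    read = bytes([0x0C, 0xB0, 0x00, 0x00]) + b"<encrypted payload>"
    rogue = bytes([0x0D, 0xB0, 0x00, 0x00]) + b"<encrypted payload>"
    return proxy.forward(verify), proxy.forward(read), proxy.forward(rogue), mcu.channel_log
```

Running run_demo("0000") shows the two properties the description stresses: the reader receives only a status word carrying the remaining retry count, and the attribute is withheld with 69 82, while the cached VERIFY APDU is only released on the first channel after the sensor data have gone over the second one. The third APDU, whose CLA addresses channel 1, is refused by the first microcontroller before it reaches the protected microcontroller, so the sensor channel stays reachable only from inside the token.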

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mathematical Physics (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Arrangements For Transmission Of Measured Signals (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Claims (15)

  1. ID token (10) having a sensor (70, 72), a communication interface (30) and a first microcontroller (40), wherein the ID token (10) comprises a protected second microcontroller (50) with at least one microcontroller communication interface (59), which is arranged in a receptacle (60) of the ID token (10), the microcontroller communication interface (59) providing a data input and a data output,
    • wherein the sensor (70, 72) is configured to acquire measurement data,
    • wherein the first microcontroller (40) is connected, for data exchange, to the microcontroller communication interface (59) of the protected second microcontroller (50), to the sensor (70, 72) and to the communication interface (30) of the ID token (10), and wherein the first microcontroller (40) is configured to exchange data with a reader (20) via the communication interface (30) of the ID token (10),
    • wherein the protected second microcontroller (50) comprises a first and a second application (56, 58),
    • wherein the first application (56) is configured to compare the measurement data of the sensor (70, 72) with comparison data stored in a memory (54) of the second microcontroller (50), and to forward the comparison result to the second application (58),
    • wherein the second application (58) is configured to establish a connection with the reader (20) and to deliver specified data in response to a read command from the reader (20),
    • wherein the first microcontroller (40) is configured as a proxy to switch between, on the one hand, the acquisition of measurement data by the sensor (70, 72) and the forwarding of the measurement data acquired by the sensor (70, 72) to the first application (56) of the protected second microcontroller (50) via its microcontroller communication interface (59), and, on the other hand, the forwarding of messages for establishing a connection between the second application (58) and the reader (20) and/or the forwarding of APDUs via the connection between the second application (58) and the reader (20),
    wherein the second application (58) is configured to establish the connection with the reader (20) as an encrypted end-to-end connection and to deliver the data specified by a read command from the reader (20) via the encrypted end-to-end connection, encrypted APDUs being transmitted via the encrypted end-to-end connection,
    wherein the protected second microcontroller (50) is configured to provide a plurality of logical channels for data exchange via the microcontroller communication interface (59), the communication via the encrypted end-to-end connection taking place on a first logical channel of the second microcontroller (50), and wherein the first microcontroller (40) is configured to:
    • receive an encrypted APDU, with unencrypted header data and encrypted payload data, sent by the reader (20) to the second application (58) via the encrypted end-to-end connection, cache it and analyze the header data,
    • if the header data include a reference to measurement data acquired by the sensor (70, 72), send a request for acquisition of the measurement data to the sensor (70, 72),
    • in response to the request, receive the acquired measurement data from the sensor (70, 72) and forward them on a second logical channel of the second microcontroller (50) to the first application (56),
    • forward the cached encrypted APDU to the second application (58) on the first logical channel.
  2. ID token (10) according to claim 1, wherein the at least one microcontroller communication interface (59) of the protected second microcontroller (50) is a contact-based communication interface (59).
  3. ID token (10) according to one of the preceding claims, wherein the protected second microcontroller (50) comprises exactly one microcontroller communication interface (59).
  4. ID token (10) according to one of the preceding claims, wherein the first microcontroller (40) is configured to exchange data contactlessly with a reader (20) via the communication interface (30) of the ID token (10), or
    wherein the first microcontroller (40) is configured to exchange data by contact with a reader (20) via the communication interface (30) of the ID token (10).
  5. ID token (10) according to one of the preceding claims, wherein the second application comprises the first application.
  6. ID token (10) according to one of the preceding claims, wherein the measurement data are one or more biometric features, a PIN, acceleration data, GPS coordinates and/or temperature data.
  7. ID token (10) according to one of the preceding claims, wherein the ID token has a plurality of different sensors for acquiring a plurality of different measurement data, to which the first microcontroller (40) is connected for data exchange, wherein the first application (56) is configured to compare the measurement data of each sensor (70, 72) with comparison data stored in a memory (54) of the second microcontroller (50) and to forward the comparison results to the second application (58).
  8. ID token (10) according to one of the preceding claims, wherein the first microcontroller (40) is configured as master and the protected second microcontroller (50) as slave.
  9. ID token (10) according to one of the preceding claims, wherein the second microcontroller (50) is physically protected by one or more of the following: a clock frequency sensor, a temperature sensor, a voltage sensor and/or a light sensor.
  10. ID token (10) according to one of the preceding claims, wherein the second microcontroller (50) is cryptographically protected by one or more of the following: a random number generator, a cryptographic key generator, a hash generator, an encryption/decryption module, a signature module, one or more certificates and/or one or more non-migratable cryptographic keys.
  11. ID token (10) according to one of the preceding claims, wherein the microcontroller communication interface (59) of the protected second microcontroller (50) is hardwired to the first microcontroller (40), or
    wherein the protected second microcontroller (50) is configured as a replaceable module and the receptacle (60) of the ID token (10) is configured as a plug-in connection for the module, the microcontroller communication interface (59) of the protected second microcontroller (50) being releasably contacted to the first microcontroller (40).
  12. ID token (10) according to one of the preceding claims, wherein the ID token (10) has an output device (80, 82) to which the first microcontroller (40) is connected for data exchange.
  13. System (100) comprising an ID token (10) according to one of the preceding claims and a reader (20) having a communication interface (22) for data exchange with the communication interface (30) of the ID token (10), wherein the reader (20) is configured to establish a connection with the second application (58) of the protected second microcontroller (50) and to send APDUs to the second application (58) via the established connection and/or to receive them from the second application (58).
  14. Method for verifying measurement data of the sensor (70, 72) of an ID token (10) according to one of claims 1 to 12 by means of the second, protected microcontroller (50), the method comprising:
    ∘ transmitting a request to establish a connection between the reader (20) and the second application (58) of the second, protected microcontroller (50):
    • receiving the request by the first microcontroller (40) via the communication interface (30) of the ID token (10),
    • forwarding the request by the first microcontroller (40) to the second application (58) of the second, protected microcontroller (50) via the microcontroller communication interface (59) of the second, protected microcontroller (50),
    ∘ establishing the connection between the reader (20) and the second application (58):
    • exchanging messages for establishing the connection between the reader (20) and the second application (58) via the communication interface (30) of the ID token (10), the first microcontroller (40) and the microcontroller communication interface (59) of the second, protected microcontroller (50),
    ∘ exchanging APDUs via the connection between the reader (20) and the second application (58):
    • receiving a command APDU by the first microcontroller (40) via the communication interface (30) of the ID token (10), the command APDU querying the comparison result of the comparison carried out by the first application (56) of measurement data captured by the sensor (70, 72) with comparison data,
    • forwarding the command APDUs by the first microcontroller (40) to the second application (58) via the microcontroller communication interface (59) of the second, protected microcontroller (50),
    • building a response APDU in reply to the received command APDU by the second application (58), using the comparison result received from the first application (56),
    • receiving the response APDU by the first microcontroller (40),
    • forwarding the response APDU by the first microcontroller (40) to the reader (20) via the communication interface (30) of the ID token (10),
    ∘ providing the comparison results for the captured measurement data:
    • sending a request to record measurement data to the sensor (70, 72) by the first microcontroller (40),
    • recording the measurement data by the sensor (70, 72),
    • receiving the recorded measurement data by the first microcontroller (40),
    • forwarding the captured measurement data by the first microcontroller (40) to the first application (56) via the microcontroller communication interface (59) of the second, protected microcontroller (50),
    • receiving the captured measurement data by the first application (56) and comparing them with the stored comparison data,
    • forwarding the comparison result to the second application (58),
    wherein the connection established between the reader (20) and the second application (58) is an end-to-end encrypted connection over which encrypted APDUs are exchanged in the form of encrypted command APDUs and encrypted response APDUs,
    wherein the sending and receiving of encrypted APDUs by the second, protected microcontroller (50) take place on a first logical channel, wherein the first microcontroller (40) analyses the unencrypted header data of received command APDUs, interrupts the forwarding of the corresponding command APDU upon detecting a reference to measurement data captured by the sensor in the unencrypted header data of an encrypted command APDU and causes the comparison result for the captured measurement data to be provided, wherein the captured measurement data are forwarded to the first application (56) on a second logical channel, and wherein the interrupted forwarding is resumed on the first logical channel after the first microcontroller (40) has forwarded the measurement data via the second logical channel.
  15. Method for verifying measurement data of the sensor of an ID token (10) according to claim 14, wherein a context of the second, protected microcontroller (50) is associated with each of the logical channels and the second microcontroller (50) is configured to switch between the individual contexts depending on the logical channel over which communication with the first microcontroller (40) takes place.
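The APDU dispatch of claims 14 and 15 as a constructed Python model, added here and not code from the patent or from Bundesdruckerei: the first microcontroller parses only the cleartext header, diverts a sensor query to the first application on a second logical channel, then resumes forwarding on the first channel, while the protected microcontroller selects a context per channel. The header layout, the INS code 0xB8, the XOR keystream standing in for secure messaging and the tolerance comparison are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable

# Assumed (constructed) header layout, ISO 7816-4 style: CLA INS P1 P2. The two
# low bits of CLA select the logical channel; INS_SENSOR_RESULT is a placeholder.
INS_SENSOR_RESULT = 0xB8
CH_READER = 0    # first logical channel: end-to-end encrypted reader traffic
CH_SENSOR = 1    # second logical channel: measurement data to the first app
TOLERANCE = 2    # constructed: allowed deviation from the comparison data


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the end-to-end secure messaging of claim 14: XOR with a
    SHA-256 keystream (symmetric, illustrative only)."""
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


@dataclass
class ProtectedMicrocontroller:
    """Second microcontroller (50): first application (56) compares sensor
    data, second application (58) talks to the reader; one context per
    logical channel, switched on every APDU (claim 15)."""
    e2e_key: bytes                      # shared with the reader only
    reference: int                      # comparison data in memory (54)
    contexts: dict = field(default_factory=dict)
    comparison_result: bool = False

    def receive(self, channel: int, data: bytes) -> bytes:
        ctx = self.contexts.setdefault(channel, {"apdus": 0})
        ctx["apdus"] += 1                      # context selected by channel
        if channel == CH_SENSOR:
            return self.first_app_compare(data)
        return self.second_app_handle(data)

    def first_app_compare(self, measurement: bytes) -> bytes:
        value = int.from_bytes(measurement, "big")
        self.comparison_result = abs(value - self.reference) <= TOLERANCE
        return b"\x90\x00"                     # result handed to app (58)

    def second_app_handle(self, cmd: bytes) -> bytes:
        header, body = cmd[:4], keystream_xor(self.e2e_key, cmd[4:])
        if header[1] == INS_SENSOR_RESULT:
            plain = b"\x01" if self.comparison_result else b"\x00"
        else:
            plain = b"ECHO:" + body            # any other command: echo back
        return keystream_xor(self.e2e_key, plain) + b"\x90\x00"


@dataclass
class FirstMicrocontroller:
    """First microcontroller (40), the master: parses only the cleartext
    header, never the encrypted body, and inserts the sensor round-trip."""
    secure: ProtectedMicrocontroller
    sensor: Callable[[], bytes]         # sensor (70, 72), returns raw bytes
    log: list = field(default_factory=list)

    def forward(self, cmd: bytes) -> bytes:
        channel, ins = cmd[0] & 0x03, cmd[1]
        if ins == INS_SENSOR_RESULT:           # header references sensor data
            self.log.append(f"interrupt ch{channel}")
            measurement = self.sensor()        # request + receive measurement
            self.secure.receive(CH_SENSOR, measurement)
            self.log.append(f"resume ch{channel}")
        return self.secure.receive(channel, cmd)   # forward on original channel


def reader_exchange(token: FirstMicrocontroller, key: bytes, ins: int, payload: bytes = b"") -> bytes:
    """Reader (20): one encrypted command on channel 0, decrypted response body."""
    cmd = bytes([CH_READER, ins, 0, 0]) + keystream_xor(key, payload)
    resp = token.forward(cmd)
    return keystream_xor(key, resp[:-2])
```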
EP16819835.6A 2015-12-15 2016-12-13 Identification token with protected microcontroller Active EP3391278B1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP18182580.3A EP3428830B1 (fr) 2015-12-15 2016-12-13 Identification token with secured microcontroller
EP18182581.1A EP3422243B1 (fr) 2015-12-15 2016-12-13 Identification token with secured microcontroller

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102015225275.2A DE102015225275A1 (de) 2015-12-15 2015-12-15 ID token with protected microcontroller
PCT/EP2016/080750 WO2017102699A1 (fr) 2015-12-15 2016-12-13 Identification token with protected microcontroller

Related Child Applications (4)

Application Number Title Priority Date Filing Date
EP18182580.3A Division EP3428830B1 (fr) 2015-12-15 2016-12-13 Identification token with secured microcontroller
EP18182580.3A Division-Into EP3428830B1 (fr) 2015-12-15 2016-12-13 Identification token with secured microcontroller
EP18182581.1A Division EP3422243B1 (fr) 2015-12-15 2016-12-13 Identification token with secured microcontroller
EP18182581.1A Division-Into EP3422243B1 (fr) 2015-12-15 2016-12-13 Identification token with secured microcontroller

Publications (2)

Publication Number Publication Date
EP3391278A1 EP3391278A1 (fr) 2018-10-24
EP3391278B1 true EP3391278B1 (fr) 2019-11-27

Family

ID=57681553

Family Applications (3)

Application Number Title Priority Date Filing Date
EP18182580.3A Active EP3428830B1 (fr) 2015-12-15 2016-12-13 Identification token with secured microcontroller
EP18182581.1A Active EP3422243B1 (fr) 2015-12-15 2016-12-13 Identification token with secured microcontroller
EP16819835.6A Active EP3391278B1 (fr) 2015-12-15 2016-12-13 Identification token with protected microcontroller

Family Applications Before (2)

Application Number Title Priority Date Filing Date
EP18182580.3A Active EP3428830B1 (fr) 2015-12-15 2016-12-13 Identification token with secured microcontroller
EP18182581.1A Active EP3422243B1 (fr) 2015-12-15 2016-12-13 Identification token with secured microcontroller

Country Status (4)

Country Link
US (1) US10956618B2 (fr)
EP (3) EP3428830B1 (fr)
DE (1) DE102015225275A1 (fr)
WO (1) WO2017102699A1 (fr)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2547954B (en) * 2016-03-03 2021-12-22 Zwipe As Attack resistant biometric authorised device
AT519490B1 (de) 2016-12-30 2020-01-15 Avl List Gmbh Communication of a network node in a data network
DE102018202357A1 (de) * 2018-02-15 2019-08-22 Bundesdruckerei Gmbh Method for processing a cryptographic key and processor chip card
SG11202012477PA (en) 2018-06-29 2021-01-28 Visa Int Service Ass Chip card socket communication
US20230061037A1 (en) * 2021-09-01 2023-03-02 Micron Technology, Inc. Apparatus with power-based data protection mechanism and methods for operating the same

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE602004025452D1 (de) * 2003-02-25 2010-03-25 Dainippon Printing Co Ltd SIM card reading and writing device
US7762470B2 (en) * 2003-11-17 2010-07-27 Dpd Patent Trust Ltd. RFID token with multiple interface controller
DE102011082101B4 (de) 2011-09-02 2018-02-22 Bundesdruckerei Gmbh Method for generating a soft token, computer program product and service computer system
EP2575084A1 (fr) * 2011-09-30 2013-04-03 Nxp B.V. Security token and authentication system
US9058498B2 (en) * 2012-07-12 2015-06-16 Oracle International Corporation Runtime environment management of secure communications on card computing devices
DE102015202308A1 (de) 2015-02-10 2016-08-11 Bundesdruckerei Gmbh Computer-implemented method for access control
US20160267486A1 (en) * 2015-03-13 2016-09-15 Radiius Corp Smartcard Payment System and Method
US11157901B2 (en) * 2016-07-18 2021-10-26 Dream Payments Corp. Systems and methods for initialization and activation of secure elements

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None *

Also Published As

Publication number Publication date
EP3428830A1 (fr) 2019-01-16
DE102015225275A1 (de) 2017-06-22
US10956618B2 (en) 2021-03-23
EP3422243A1 (fr) 2019-01-02
US20180349647A1 (en) 2018-12-06
EP3428830B1 (fr) 2020-07-22
WO2017102699A1 (fr) 2017-06-22
EP3391278A1 (fr) 2018-10-24
EP3422243B1 (fr) 2021-08-18

Similar Documents

Publication Publication Date Title
EP3391278B1 (fr) Identification token with protected microcontroller
EP2454704B1 (fr) Method for reading attributes from an identity token
EP3261011B1 (fr) Method for reading attributes from an identification token
EP2962439B1 (fr) Reading an attribute stored in an ID token
EP4128695B1 (fr) Personalised and server-specific authentication mechanism
EP3699791A1 (fr) Access control comprising a mobile radio device
EP3465513B1 (fr) User authentication by means of an identification token
EP3206151B1 (fr) Method and system for authenticating a mobile telecommunication device to a service computer system, and mobile telecommunication device
EP2389644B1 (fr) Method for unlocking a chip card function, and card reader
EP3271855A1 (fr) Method for generating a certificate for a security token
EP2916252B1 (fr) Electronic transaction method and computer system
EP2752785B1 (fr) Method for personalising a secure element (SE) and computer system
EP3336732B1 (fr) User authentication using several features
EP3336736B1 (fr) Auxiliary ID token for multi-factor authentication
WO2022175398A1 (fr) User authentication using two independent security elements
EP3882796A1 (fr) User authentication using two independent security elements
EP3125464A1 (fr) Revocation service for a certificate generated by an ID token
WO2016184767A1 (fr) Method for reading attributes from an identification token
EP2893483A1 (fr) Method for personalising a secure element (SE) and computer system
DE102011079441A1 (de) Method for protecting a chip card terminal against unauthorised use

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20180716

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20190624

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

Free format text: NOT ENGLISH

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 502016007809

Country of ref document: DE

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1207512

Country of ref document: AT

Kind code of ref document: T

Effective date: 20191215

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

Free format text: LANGUAGE OF EP DOCUMENT: GERMAN

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20191127

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200227

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200227

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200228

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200327

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200419

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20191231

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 502016007809

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20191213

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20191213

26N No opposition filed

Effective date: 20200828

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20191231

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20191231

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20191231

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20161213

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20191127

REG Reference to a national code

Ref country code: AT

Ref legal event code: MM01

Ref document number: 1207512

Country of ref document: AT

Kind code of ref document: T

Effective date: 20211213

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20211213

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230526

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20231220

Year of fee payment: 8

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20231220

Year of fee payment: 8

Ref country code: DE

Payment date: 20231214

Year of fee payment: 8